Re: [codec] AD Evaluation of draft-ietf-codec-opus-update-07

Jean-Marc Valin <> Wed, 26 July 2017 05:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 18BA8131E25 for <>; Tue, 25 Jul 2017 22:09:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DIZwYzYQ4Hye for <>; Tue, 25 Jul 2017 22:09:05 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 87377124D68 for <>; Tue, 25 Jul 2017 22:09:05 -0700 (PDT)
Received: by with SMTP id v205so44876598itf.1 for <>; Tue, 25 Jul 2017 22:09:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=ELXWcFC3aEetKRDGyQcYFgvLPz5cP4K/kHjSzq1MPoM=; b=XulfFnBse1iiwfc7UX0SPATFu+j1V8p40pxO0YOzz2z5mhFO3CsoK9Gn9tqBa6Xh32 Gj/GvVOkJDq4x0scz36OKjm7DAcr+GwlcS0WTgduNVNy5j1AVxkrlB3AJBVs2QHfh37d l5lSs+RSjyZOBj+UQT4lfLcHvozSNO7DEJQCVXo239TyEDA4G66qIubhwa94WCR44b7X unduLrffFML39Zj19pc9eVlaPaWspPEGmj/3V7ukAmESLMxtn6Wd5MWwSpD3kpjj7R6F ZE5Tc7oGhsR7rJPFqkYZknIZCbtal/Up+muhhO6U27fx8shfSJMTYZyVsqQVsGYY9qZM U0Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=ELXWcFC3aEetKRDGyQcYFgvLPz5cP4K/kHjSzq1MPoM=; b=B8kkhOsmSHecwUt8mjlUnkqwpVEHrFDZ/YS72gfxxMeavlWmU3+yFT9zjge1AkuZE/ MgnauNj1l+RH/YgdGP52SIwwWLgu1RWr5T6YRKctHxKo7SsCB7ccppV+JNLwFWblmeBx +r5Xe3qPPApBP757ilCrndV4CLE06kEHPDVYbnPCYb4ahPl7VDhEg+0SfivhTezP/Z4m GI7j1OaZDgfqHOYJAv2LHKX0Ia1WC4wRb749psdJXUpU3X+yMxcuqlqJyD/gt+o8Mleg lNc1WJt9PE07kqCaR3Q5xecqmfk9jfMlvtbs2SJ7KNn/qZUI2IzJEnZNpfomgT0w/BlA IuUQ==
X-Gm-Message-State: AIVw1131o3ukOxMC+K7EswnpQFKRGAeBmgfTlwenGpV5SsRiKuoFCulN MiGQQSrwbtKTQDBBSQk=
X-Received: by with SMTP id o4mr13419617ite.157.1501045744691; Tue, 25 Jul 2017 22:09:04 -0700 (PDT)
Received: from ( []) by with ESMTPSA id b83sm5759028iod.35.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Jul 2017 22:09:04 -0700 (PDT)
To: Ben Campbell <>
References: <> <> <>
From: Jean-Marc Valin <>
Message-ID: <>
Date: Wed, 26 Jul 2017 01:09:02 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [codec] AD Evaluation of draft-ietf-codec-opus-update-07
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Jul 2017 05:09:08 -0000

Just submitted version -08 addressing your last set of comments. See
below for details.

On 26/07/17 12:41 AM, Ben Campbell wrote:
> I suggest adding a sentence to the effect of the following after “…
> associated text description.”:
> "That RFC includes the reference decoder implementation as Appendix
> A."


>> This document fixes two security issues reported on Opus and that 
>> affect the reference implementation in RFC 6716 [RFC6716]: CVE- 
>> 2013-0899 and CVE-2017-0381.  CVE-2013-0899 is fixed by Section 4
>> and could theoretically cause information leak, but the leaked 
>> information would at the very least go through the decoder process 
>> before being accessible to the attacker.  Also, the bug can only
>> be triggered by Opus packets at least 24 MB in size.  CVE-2017-0381
>> is fixed by Section 7 as far as the authors are aware, could not
>> be
> Is there a missing word? It’s not clear if you mean to say that as
> far as the authors are aware it is fixed, or as far as the authors
> are aware it could not be exploited.

There was indeed a missing "and":

  CVE-2017-0381 is fixed by Section 7 and, as far as the authors
  are aware, could not be exploited in any way...

> Can you add some context about the CVEs, such as where they are
> reported and where they can be found?

Added links to the CVEs

> So, as I looked at the XML diff, I realize the emphasis is added
> using XML tags rather than by hand entering the underscores. So I may
> have been incorrect to say they have no meaning in the context of an
> RFC :-)   I think the text is still better without them, but do not
> have strong feelings if you prefer to keep them.

I agree that the underscores weren't adding much, so I'm leaving them out.